SQL Injection Prevention

I was just wondering if PowerStore's code was written with SQL injection prevention in mind? I do see the Validated Field string in the admin log-in page. Will this prevent the dreaded " OR 1 " attack? I was wondering if measures are included to prevent DB table deletions.

Lastly, I'm concerned about the DB security, when I looked at my database, I noticed that the user passwords are not encrypted. Can you provide some information about a secure method of storing and retrieving user passwords?

I tried to encrypt the user passwords table in MySQL, but of course, when the user retrieves their lost password, it's returned to the user in the encrypted format.

As far as I know, all of the code in the PowerStore was written in a way to prevent SQL injection and database manipulation like you have noted. It uses the standard DW code for the recordsets, which has measures to prevent injection. Also, the triggers for the various server behaviors are designed in such a way as to prevent external or cross-site scripting.

As for encrypting the passwords, you can do this in the PHP code. The idea is that you insert the encrypted version of the password into the DB. When the user logs in, you take the value from the user and encrypt it when you are comparing it to the value in the DB.

When it comes to retrieving the password, though, you will not be able to directly do so. The best you can do in this case is to send the user an email to the email address they have on file. In it you put a reset-password link that has a unique identifier that you store in the DB. If the user ID matches the record in the DB and the identifier is correct, then you can just have the user set the new password.

This is kind of a high-level overview of the process. There is a Solution Recipe that goes along with Security Assist to help you implement an encrypted password system like this. The Solution Recipe can be found on the Security Assist support page.
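The three points raised in this thread (keeping a ' OR 1 ' style input out of the query, storing only a hash of the password and comparing hashes at login, and a reset link carrying a stored one-time identifier) written out as one runnable PHP example. This is an added illustration, not PowerStore's, Dreamweaver's or the Security Assist Solution Recipe's own code. It assumes PHP 7.4+ with the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; the users table, its column names and the sample account are constructed for the example.

```php
<?php
// Added example (not PowerStore's or WebAssist's code): prepared statements,
// hashed password storage and a token-based password reset. PDO with an
// in-memory SQLite database keeps it self-contained; table and column names
// are assumptions for illustration, not PowerStore's schema.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    email TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL,
    reset_token_hash TEXT,
    reset_expires INTEGER)');

// Vulnerable pattern: the value is spliced into the SQL text. Submitting
// ' OR 1=1 --  as the e-mail turns the WHERE clause into a tautology, and
// the rest of the statement is commented out.
function findUserUnsafe(PDO $db, string $email): ?array {
    $row = $db->query("SELECT id FROM users WHERE email = '$email'")->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Safe pattern: a prepared statement sends the value separately from the SQL
// grammar, so the same input is looked up as a literal e-mail address.
function findUser(PDO $db, string $email): ?array {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Only a salted, slow hash (bcrypt via password_hash) is written to the DB;
// the clear-text password is never stored.
function createUser(PDO $db, string $email, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: hash the submitted password and compare it with the stored hash.
function login(PDO $db, string $email, string $password): bool {
    $user = findUser($db, $email);
    return $user !== null && password_verify($password, $user['password_hash']);
}

// Reset step 1: generate a random identifier, store only its hash plus an
// expiry, and return the identifier so it can go into the e-mailed link.
// Storing the hash means a copy of the DB does not yield usable reset links.
function requestReset(PDO $db, string $email, int $ttlSeconds = 3600): ?string {
    $user = findUser($db, $email);
    if ($user === null) {
        return null; // respond to the user the same way either way, to avoid account enumeration
    }
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE users SET reset_token_hash = ?, reset_expires = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $token), time() + $ttlSeconds, $user['id']]);
    return $token;
}

// Reset step 2: the link carries user id and identifier; both must match and
// the identifier must be unexpired. On success the identifier is cleared so
// the link cannot be used twice.
function completeReset(PDO $db, int $userId, string $token, string $newPassword): bool {
    $stmt = $db->prepare('SELECT reset_token_hash, reset_expires FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_token_hash'] === null || (int) $row['reset_expires'] < time()
        || !hash_equals($row['reset_token_hash'], hash('sha256', $token))) {
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET password_hash = ?, reset_token_hash = NULL, reset_expires = NULL WHERE id = ?');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
    return true;
}

// Demonstration with a constructed sample account.
createUser($db, 'alice@example.com', 'correct horse');
var_dump(login($db, 'alice@example.com', 'correct horse'));
var_dump(login($db, 'alice@example.com', 'wrong'));

$injected = "' OR 1=1 --";
var_dump(findUserUnsafe($db, $injected) !== null); // concatenated query: the tautology matches a row
var_dump(findUser($db, $injected) !== null);       // prepared statement: treated as a literal string

$token = requestReset($db, 'alice@example.com');
var_dump(completeReset($db, 1, 'not-the-identifier', 'new pass'));
var_dump(completeReset($db, 1, $token, 'new pass'));
var_dump(login($db, 'alice@example.com', 'new pass'));
```

Run it with `php example.php`. The two `findUser*` calls with the injected string are the practical answer to the " OR 1 " question: the concatenated query returns a row it should not, the prepared statement does not. The reset flow is the one described in the reply above, with two details worth keeping in a real implementation: the identifier is compared with `hash_equals` rather than `==` so the comparison does not leak timing information, and it is cleared once used. Encrypting the table as the question describes would not help here, because `password_hash` is one-way; the "lost password" feature has to become "set a new password" as the reply says.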